Thomas Baekdal has a great piece on the usability of passwords. He has
good evidence that using a password made up of three common words is on par
with using a six character jumble, like J4fS<2. The benefit of the former is
that it is much easier to remember, doesn’t need to be written down, and is
therefore more secure.

He focuses specifically on passwords, but I can see this extrapolated to
securing systems in other areas, too. The most common weaknesses are social.
Tire the user out and you’ve lost. Revisit the rules you enforce on your users
for their security. Is a lack of usability weakening your system in ways you
didn’t expect?